On May 3, 2008, at 3:44 PM, Frank Ellermann wrote: > SM wrote: > >> SenderID and SPF does not authenticate the sender. > > For starters they have different concepts of "sender", PRA and > envelope sender, and RFC 4408 section 10.4 offers references (AUTH + > SUBMIT) for folks wanting more. Agreed. Neither SenderID or SPF offers authentication. Both of these schemes provide a method for domains to _authorize_ IP addresses used by SMTP clients. This can not be described as authentication since SMTP clients are often shared by more than one domain. This scheme is fully dependent upon secure routing through questionable boundary issues. In addition to the section 10.4 references, DKIM is another possible choice. -Doug _______________________________________________ IETF mailing list IETF@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf